There is no such thing as IT governance! It should be part and parcel of enterprise governance. It is only because IT has been ignored in the boardroom that an institute and a body of knowledge are needed. The results of not being on the agenda of boards and executives are that the value and opportunities of IT are not sufficiently leveraged and its risks are not well understood or mitigated.
Proper governance of IT is no luxury; it is a basic necessity of modern enterprises. Gartner pointed out several years ago that billions of US dollars are lost every year on ill-conceived or poorly managed IT projects, and The Standish Group confirms that trend every 18 months with its state of affairs on IT projects worldwide.
What is going wrong? The bottom line is that enterprises need to change their thinking and their culture. When thinking about how this could be summarised, the number four started playing an important role. The ‘Four Ares’ as explained in Val IT¹ are a good guide to think about what needs to be done to get value from IT. The following four rules will help businesses to start thinking about the major changes needed:
- IT governance is about effectiveness. Businesses need to do the right things, such as investing in the initiatives that make the business better. This is the first of the ‘Four Ares’ shown in figure 1. Articles, surveys and presentations continually emphasise business and IT alignment, but what really should be talked about is sharing between business and IT: sharing the decision making in steering committees; sharing understanding and skills through co-operation and multi-disciplinary teams; and sharing responsibilities, risks and rewards.
- Uncertainty must be accepted. This goes ‘against the grain’ of chief financial officers and other executives looking for hard numbers, but there are so many variables, including project costs, delivery time, customer behaviours and market assumptions, that mechanisms are needed to put organisations in a position to take timely corrective action. Only then will organisations dare to embark on initiatives that are uncertain but have the potential to result in huge returns, while at the same time be able to redirect or stop those that provide increasing indications of not delivering the expected benefits.
- IT governance is about completeness. The business case of IT projects needs to be complete, i.e., it needs to cover all the activities necessary to obtain the promised benefits—from inception of the idea to retirement of the service. The latter is already a big challenge requiring cultural changes because ongoing service delivery is rarely considered as part of a business case and the cost of taking an application out of service altogether is almost never considered. This relates to the second and third ‘Ares’, challenging whether the business has the right business and technology architecture and delivers against established quality standards.
- IT governance is about accountability. If promises are made about the benefits that will be created by an IT-enabled business initiative, someone needs to be accountable for those benefits. Accountability goes beyond delivering the IT services, because the ultimate benefits usually occur only as a result of associated business process changes. Whilst technical IT projects appeal to project leaders, few have the courage to step forward to lead projects that have a strong organisational and people impact. Nevertheless, there is significant evidence that such initiatives, whilst uncertain at the start, often have a major return on investment. Accountability not only applies when things go wrong, but also when rewards are apportioned upon success.
In addition to the ‘Four Ares’, these four rules can help enterprises change their thinking about IT and start treating it like everything else in enterprise management. IT needs governance just as human resources, knowledge and finance do. And, when organisations invest in IT, they need to consider it like any other investment (i.e., there is no such thing as IT governance, only enterprise governance). Even though IT needs to be governed better, it is important to remember that IT is ultimately a supporting function because it needs to do what the business needs it to do to enable the creation of business benefits. It cannot be said better than with the words of one CIO in the finance industry: ‘IT has no budget, and IT creates no value’.
Endnotes
1 Based on the ‘Four Ares’ as described by John Thorp in his book, The Information Paradox, written jointly with Fujitsu, first published in 1998 and revised in 2003.
Erik Guldentops, CISA, CISM, is an executive professor at the University of Antwerp Management School (Belgium). He has initiated and provided leadership to the COBIT and Val IT initiatives since their inception.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.